-
Sylvain Defresne authored
The shutdown of the application was failing with UAF during the destruction of ApplicationBreadcrumbsLogger because it tried to record a "Shutdown" event which was forwarded to all observers by BreadcrumbManager. The UAF was caused by BreadcrumbPersistentStorageManager that was owned by ApplicationContextImpl but registered as an observer by ApplicationBreadcrumbsLogger. As ApplicationBreadcrumbsLogger is destroyed after BreadcrumbPersistentStorageManager, thus the observer was only removed after the object was deleted. This UAF is fixed by moving the ownership of the instance of BreadcrumbPersistentStorageManager to ApplicationBreadcrumbsLogger. Fixing this revealed another issue regarding ordering of the events as BreadcrumbPersistentStorageManager uses a TaskRunner to persist the events. The TaskRunner are invalidated when WebMainLoop is destroyed which happens before ApplicationContextImpl destruction. To fix this, it is necessary to destroy ApplicationBreadcrumbsLogger before the thread pool is destroyed, thus in StartTearDown(). Bug: 1160669 Change-Id: I7957d0b15535e1ea9afe93e42791d680e1f3e153 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2599798 Commit-Queue: Sylvain Defresne <sdefresne@chromium.org> Reviewed-by:
Olivier Robin <olivierrobin@chromium.org> Auto-Submit: Sylvain Defresne <sdefresne@chromium.org> Cr-Commit-Position: refs/heads/master@{#838661}
dd212973
